nerdctl: an advanced command-line tool for containerd

nerdctl

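1. Installation

Download the matching binary package from GitHub and extract it:

# If containerd is not installed, you can download the nerdctl-full-<VERSION>-linux-amd64.tar.gz package and install from that instead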
wget https://github.com/containerd/nerdctl/releases/download/v0.11.0/nerdctl-0.11.0-linux-amd64.tar.gz
# If access is restricted, you can use the following URL instead to speed up the download
wget https://download.fastgit.org/containerd/nerdctl/releases/download/v0.11.0/nerdctl-0.11.0-linux-amd64.tar.gz
mkdir -p /usr/local/containerd/bin/ && tar -zxvf nerdctl-0.11.0-linux-amd64.tar.gz nerdctl && mv nerdctl /usr/local/containerd/bin/
ln -s /usr/local/containerd/bin/nerdctl /usr/local/bin/nerdctl
[root@one ~]# nerdctl version 
Client:
 Version:   v0.11.0
 Git commit:    c802f934791f83dacf20a041cd1c865f8fac954e

Server:
 containerd:
  Version:  v1.5.5
  Revision: 72cec4be58a9eb6b2910f5d10f1c01ca47d231c0
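
The archive above may come from a third-party mirror and ends up in a directory on root's PATH, so it is worth checking before it is unpacked. The following is an added example, not part of the original article: it verifies a tarball against a SHA256SUMS-style checksum list and extracts only the nerdctl member. It assumes the checksum list was obtained from the official release page; the function names and the constructed sample archive are illustrative.

```python
import hashlib
import hmac
import tarfile
import tempfile
from pathlib import Path


def expected_digest(sums_text, filename):
    """Return the hex digest listed for filename in SHA256SUMS-style text."""
    for line in sums_text.splitlines():
        parts = line.split()
        # Each line is "<hex digest>  <filename>"; a leading "*" marks binary mode.
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()
    raise LookupError(f"{filename} is not listed in the checksum file")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_and_extract(tarball, sums_text, member, dest):
    """Check the tarball digest, then extract only `member` into `dest`."""
    want = expected_digest(sums_text, tarball.name)
    got = sha256_file(tarball)
    if not hmac.compare_digest(want, got):
        raise ValueError(f"checksum mismatch for {tarball.name}: got {got}")
    with tarfile.open(tarball, "r:gz") as tf:
        info = tf.getmember(member)  # KeyError if the archive lacks it
        if not info.isfile():
            raise ValueError(f"{member} is not a regular file")
        data = tf.extractfile(info).read()
    dest.mkdir(parents=True, exist_ok=True)
    out = dest / Path(member).name  # write under a name we chose, not an archive path
    out.write_bytes(data)
    out.chmod(0o755)
    return out


def make_constructed_tarball(directory):
    """Build a tiny stand-in archive (constructed sample, not a real release)."""
    payload = directory / "nerdctl"
    payload.write_bytes(b"#!/bin/sh\necho constructed sample\n")
    tarball = directory / "nerdctl-0.11.0-linux-amd64.tar.gz"
    with tarfile.open(tarball, "w:gz") as tf:
        tf.add(payload, arcname="nerdctl")
    payload.unlink()
    return tarball


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        tb = make_constructed_tarball(Path(tmp))
        sums = f"{sha256_file(tb)}  {tb.name}\n"  # stands in for the published list
        print(verify_and_extract(tb, sums, "nerdctl", Path(tmp) / "bin"))
```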

2. Using the command-line tool

1. Run & Exec
nerdctl run

nerdctl run is similar to docker run; use the nerdctl run command to start a container.

[root@one ~]# nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:latest
docker.io/library/nginx:latest:                                                   resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:859ab6768a6f26a79bc42b231664111317d095a4f04e4b6fe79ce37b3d199097:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:61face6bf030edce7ef6d7dd66fe452298d6f5f7ce032afdd01683ef02b2b841: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:fa5269854a5e615e51a72b17ad3fd1e01268f278a6684c8ed3c5f0cdce3f230b:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:93e404ba8667c79caef3367388107d653d53c3ff8cd885fca19de1cdd13ac685:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:1fe172e4850f03bb45d41a20174112bc119fbfec42a650edbbd8491aee32e3c3:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:35c195f487df68cfbbecd2870aefb0ea52015fdb9ef15fd780838efc675dba45:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:213b9b16f4959ca5e12777fa9977f178cf778f615f893f859f2a4ce19838c485:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:a8172d9e19b90893f2eda38b25c9095c9822c924d7a44c7eeb44b30b0a639b9e:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:f5eee2cb2150b290f85c57dd78b1470b77819b511d092c9be1b10876ca48b885:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 70.5s                                                                    total:  54.1 M (785.8 KiB/s)                                     
9aafb7429972aadbc7c8ba57ebf933b84a21d2c615c9208f6b9ff9688879c36a

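The optional flags are largely the same as for docker run, for example -i, -t, --cpus and --memory. Run nerdctl run --help to see the available options.

nerdctl exec

Likewise, exec runs a command inside a container: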

[root@one ~]# nerdctl exec -it nginx date 
Fri May  6 02:15:29 UTC 2022

3. Container management

nerdctl ps (list containers)
[root@one ~]# nerdctl ps 
CONTAINER ID    IMAGE                             COMMAND                   CREATED          STATUS    PORTS                 NAMES
533b75d795c7    docker.io/library/nginx:latest    "/docker-entrypoint.…"    3 minutes ago    Up        0.0.0.0:80->80/tcp    nginx

The -a option likewise lists all containers. Note, however, that nerdctl ps does not implement the docker ps options --filter, --format, --last and --size.

nerdctl inspect (show detailed container information)
[root@one ~]# nerdctl inspect 4255bd2c93b6
[
   {
       "Id": "4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe",
       "Created": "2022-05-06T02:26:10.070899995Z",
       "Path": "/docker-entrypoint.sh",
       "Args": [
           "nginx",
           "-g",
           "daemon off;"
       ],
       "State": {
           "Status": "running",
           "Running": true,
           "Paused": false,
           "Pid": 31509,
           "ExitCode": 0,
           "FinishedAt": "0001-01-01T00:00:00Z"
       },
       "Image": "docker.io/library/nginx:alpine",
       "ResolvConfPath": "/var/lib/nerdctl/1935db59/containers/default/4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe/resolv.conf",
       "LogPath": "/var/lib/nerdctl/1935db59/containers/default/4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe/4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe-json.log",
       "Name": "nginx",
       "Driver": "overlayfs",
       "Platform": "linux",
       "AppArmorProfile": "",
       "NetworkSettings": {
           "Ports": {
               "80/tcp": [
                   {
                       "HostIp": "0.0.0.0",
                       "HostPort": "80"
                   }
               ]
           },
           "GlobalIPv6Address": "",
           "GlobalIPv6PrefixLen": 0,
           "IPAddress": "10.4.0.7",
           "IPPrefixLen": 24,
           "MacAddress": "46:fd:f7:a8:c7:c2",
           "Networks": {
               "unknown-eth0": {
                   "IPAddress": "10.4.0.7",
                   "IPPrefixLen": 24,
                   "GlobalIPv6Address": "",
                   "GlobalIPv6PrefixLen": 0,
                   "MacAddress": "46:fd:f7:a8:c7:c2"
               }
           }
       }
   }
]
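
The inspect output above carries several fields worth reviewing: the published port is bound to 0.0.0.0, AppArmorProfile is empty, and the image is referenced by tag. The following is an added example, not part of the original article, that reads nerdctl inspect JSON and reports these three conditions. The audit function name is illustrative, the sample is a trimmed copy of the output above, and an empty HostIp is assumed to mean all interfaces.

```python
import ipaddress
import json
from typing import List

# Constructed sample: a trimmed copy of the `nerdctl inspect` output shown above.
SAMPLE = json.dumps([{
    "Id": "4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe",
    "Name": "nginx",
    "Image": "docker.io/library/nginx:alpine",
    "AppArmorProfile": "",
    "NetworkSettings": {
        "Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}]},
    },
}])


def audit(inspect_json: str) -> List[str]:
    """Return one finding per reviewable setting in `nerdctl inspect` JSON."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name") or c.get("Id", "?")[:12]

        # Published ports: flag bindings on the unspecified address (0.0.0.0 or ::).
        ports = (c.get("NetworkSettings") or {}).get("Ports") or {}
        for port, bindings in ports.items():
            for b in bindings or []:
                host_ip = b.get("HostIp") or "0.0.0.0"  # assumption: empty means all
                if ipaddress.ip_address(host_ip).is_unspecified:
                    findings.append(
                        f"{name}: {port} published on all interfaces "
                        f"(host port {b.get('HostPort')})"
                    )

        # Empty string means no profile was recorded for the container.
        if not c.get("AppArmorProfile"):
            findings.append(f"{name}: no AppArmor profile recorded")

        # A tag can be re-pointed at the registry; a digest reference cannot.
        image = c.get("Image", "")
        if "@sha256:" not in image:
            findings.append(f"{name}: image {image} is referenced by tag, not digest")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

On a real host, pass it the output of nerdctl inspect for each container ID instead of SAMPLE.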

nerdctl logs (fetch container logs)
[root@one ~]# nerdctl logs nginx 
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up

The -f, -t, -n, --since and --until options are supported as well.

nerdctl stop (stop a container)
[root@one ~]# nerdctl stop nginx 
nginx
nerdctl rm (remove a container)
[root@one ~]# nerdctl rm nginx 
You cannot remove a running container 4255bd2c93b62ddfabd83176daab6f1799ccd0f7101e2f8491b3bac2622dbdfe. Stop the container before attempting removal or force remove
[root@one ~]# nerdctl rm -f nginx 
nginx

To force removal, use the -f or --force option.

4. Image management

nerdctl images (list images)
[root@one ~]# nerdctl images 
REPOSITORY    TAG       IMAGE ID        CREATED              SIZE
nginx         alpine    5a0df7fb7c8c    5 days ago           16.0 KiB
nginx         latest    859ab6768a6f    About an hour ago    16.0 KiB

nerdctl pull (pull an image)
[root@one ~]# nerdctl pull docker.io/library/busybox:latest
docker.io/library/busybox:latest:                                                 resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:52f431d980baa76878329b68ddb69cb124c25efa6e206d8b0bd797a828f0528e: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:1a80408de790c0b1075d0a7e23ff7da78b311f85f36ea10098e4a6184c200964:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:50e8d59317eb665383b2ef4d9434aeaa394dcd6f54b96bb7810fdde583e9c2d1:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 7.9 s 
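nerdctl push (push an image)

Before pushing an image, you can log in to the registry with the nerdctl login command and then run the push.
Log in with nerdctl login --username xxx --password xxx, and log out with nerdctl logout.

nerdctl tag (tag an image)

The tag command creates an alias for an image: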

[root@one ~]# nerdctl tag busybox:latest ccr.ccs.tencentyun.com/piao/busybox:latest 
[root@one ~]# 
[root@one ~]# 
[root@one ~]# nerdctl images 
REPOSITORY                             TAG       IMAGE ID        CREATED          SIZE
ccr.ccs.tencentyun.com/piao/busybox    latest    d2b53584f580    5 seconds ago    1.3 MiB
busybox                                latest    d2b53584f580    3 hours ago      1.3 MiB
nginx                                  alpine    5a0df7fb7c8c    5 days ago       16.0 KiB
nginx                                  latest    859ab6768a6f    4 hours ago      16.0 KiB

nerdctl save (export an image)
[root@one full]# nerdctl save -o busybox.tag.gz busybox:latest 
[root@one full]# ll 
total 768
-rw-r--r-- 1 root root 785408 May  6 14:49 busybox.tag.gz

nerdctl rmi (remove an image)
[root@one full]# nerdctl rmi ccr.ccs.tencentyun.com/piao/busybox:latest-tmp-single
Untagged: ccr.ccs.tencentyun.com/piao/busybox:latest-tmp-single@sha256:32e2a03e361974976d474a54e5477db24947960cb1f858a45d2c680b090cadd9
Deleted: sha256:eb6b01329ebe73e209e44a616a0e16c2b8e91de6f719df9c35e6cdadadbe5965

nerdctl load (import an image)
[root@one full]# nerdctl load -i busybox.tag.gz 
unpacking docker.io/library/busybox:latest (sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8)...done
unpacking overlayfs@sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8 (sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8)...done

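5. Building images

Building images is a very common day-to-day need. ctr has no command for building images, and Docker is no longer in use here, but nerdctl provides the nerdctl build command for exactly this purpose.

nerdctl build (build an image from a Dockerfile)

Create a Dockerfile: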

FROM nginx:latest
RUN echo "hello word" >/usr/share/nginx/html/index.html

Build the image:

[root@one full]# nerdctl build -t nginx:nerdctl -f Dockerfile 
FATA[0000] `buildctl` needs to be installed and `buildkitd` needs to be running, see https://github.com/moby/buildkit: exec: "buildctl": executable file not found in $PATH 

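The command fails with an error saying that buildctl must be installed and buildkitd must be running, because nerdctl build depends on the buildkitd tool.
The buildkitd project is a build toolkit that was also open-sourced by Docker. It supports building OCI-standard images and consists mainly of the following parts:
Server, buildkitd: currently supports runc and containerd as workers, with runc as the default. Here I use containerd.
Client, buildctl: parses the Dockerfile and sends build requests to the buildkitd server.
buildkitd follows a typical client/server architecture, and the client and server can run on different hosts. nerdctl acts as a buildkitd client when building images, so buildkitd has to be installed and running.

2. Installing buildkitd
wget https://github.com/moby/buildkit/releases/download/v0.9.0/buildkit-v0.9.0.linux-amd64.tar.gz
# If access is restricted, you can use the following URL instead to speed up the download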
wget https://download.fastgit.org/moby/buildkit/releases/download/v0.9.0/buildkit-v0.9.0.linux-amd64.tar.gz
tar -zxvf buildkit-v0.9.0.linux-amd64.tar.gz -C /usr/local/containerd/
bin/
bin/buildctl
bin/buildkit-qemu-aarch64
bin/buildkit-qemu-arm
bin/buildkit-qemu-i386
bin/buildkit-qemu-mips64
bin/buildkit-qemu-mips64el
bin/buildkit-qemu-ppc64le
bin/buildkit-qemu-riscv64
bin/buildkit-qemu-s390x
bin/buildkit-runc
bin/buildkitd 
ln -s /usr/local/containerd/bin/buildkitd /usr/local/bin/buildkitd
ln -s /usr/local/containerd/bin/buildctl /usr/local/bin/buildctl

Manage buildkitd with systemd:

cat /etc/systemd/system/buildkit.service
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit

[Service]
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true

[Install]
WantedBy=multi-user.target

Start buildkitd:

systemctl daemon-reload 
systemctl enable buildkit.service --now

Rebuild the image:

[root@one full]# nerdctl build --no-cache -t nginx:nerdctl -f Dockerfile .
[+] Building 9.2s (6/6) FINISHED                                                                                                                                                                                                                                           
 => [internal] load build definition from Dockerfile                                                                                                                                                                                                                  0.1s
 => => transferring dockerfile: 111B                                                                                                                                                                                                                                  0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                                                     0.1s
 => => transferring context: 2B                                                                                                                                                                                                                                       0.0s
 => [internal] load metadata for docker.io/library/nginx:latest                                                                                                                                                                                                       3.6s
 => [1/2] FROM docker.io/library/nginx:latest@sha256:859ab6768a6f26a79bc42b231664111317d095a4f04e4b6fe79ce37b3d199097                                                                                                                                                 2.5s
 => => resolve docker.io/library/nginx:latest@sha256:859ab6768a6f26a79bc42b231664111317d095a4f04e4b6fe79ce37b3d199097                                                                                                                                                 0.0s
 => => extracting sha256:1fe172e4850f03bb45d41a20174112bc119fbfec42a650edbbd8491aee32e3c3                                                                                                                                                                             1.3s
 => => extracting sha256:35c195f487df68cfbbecd2870aefb0ea52015fdb9ef15fd780838efc675dba45                                                                                                                                                                             1.0s
 => => extracting sha256:213b9b16f4959ca5e12777fa9977f178cf778f615f893f859f2a4ce19838c485                                                                                                                                                                             0.0s
 => => extracting sha256:a8172d9e19b90893f2eda38b25c9095c9822c924d7a44c7eeb44b30b0a639b9e                                                                                                                                                                             0.0s
 => => extracting sha256:f5eee2cb2150b290f85c57dd78b1470b77819b511d092c9be1b10876ca48b885                                                                                                                                                                             0.0s
 => => extracting sha256:93e404ba8667c79caef3367388107d653d53c3ff8cd885fca19de1cdd13ac685                                                                                                                                                                             0.1s
 => [2/2] RUN echo "hello word" >/usr/share/nginx/html/index.html                                                                                                                                                                                                     0.3s
 => exporting to oci image format                                                                                                                                                                                                                                     2.4s
 => => exporting layers                                                                                                                                                                                                                                               0.4s
 => => exporting manifest sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913                                                                                                                                                                     0.0s
 => => exporting config sha256:857f00a5a814fe7d57903278cdcd13e0e3febe00967eb0aef83bea4186a92812                                                                                                                                                                       0.0s
 => => sending tarball                                                                                                                                                                                                                                                2.0s
unpacking docker.io/library/nginx:nerdctl (sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913)...done
unpacking overlayfs@sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913 (sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913)...done
[root@one full]# 

Check the built image:

[root@one full]# nerdctl images 
WARN[0000] unparsable image name "overlayfs@sha256:31645ca78f4a079aa09136e73fe7e60e016f7615f42cf98e8c0146f20cb2d913" 
WARN[0000] unparsable image name "overlayfs@sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8" 
REPOSITORY                             TAG        IMAGE ID        CREATED           SIZE
ccr.ccs.tencentyun.com/piao/busybox    latest     d2b53584f580    2 hours ago       1.3 MiB
busybox                                latest     d2b53584f580    5 hours ago       1.3 MiB
nginx                                  alpine     5a0df7fb7c8c    6 days ago        16.0 KiB
nginx                                  latest     859ab6768a6f    6 hours ago       16.0 KiB
nginx                                  nerdctl    31645ca78f4a    50 seconds ago    24.0 KiB
                                                  31645ca78f4a    50 seconds ago    24.0 KiB
                                                  d2b53584f580    39 minutes ago    1.3 MiB

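The built image is now visible, but warnings of the form WARN[0000] unparsable image name xxxx appear, and the image list also contains entries with an empty tag and the same ID as the built image. This problem is mentioned in a nerdctl GitHub issue: https://github.com/containerd/nerdctl/issues/177. It has not been fixed so far; fortunately it is only a warning and does not affect our use.

Start a container from the built image to test it: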

[root@one full]# nerdctl run -d -p 80:80 --name=nginx --restart=always nginx:nerdctl 
6d7656bff4288f8a3d1b7c9f4942ab90fcd421f4d529fc76ac7a53158786a1e3

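If you still want to use Docker Compose on a single host, nerdctl provides a compatible feature under containerd.
You can use commands such as nerdctl compose, nerdctl compose up, nerdctl compose logs, nerdctl compose build and nerdctl compose down to manage Compose services. In this way containerd and nerdctl, combined with tools such as buildkit, can fully replace Docker for building images and for managing images and containers.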
